Bug #24030: Directory traversal attack in em_unzip
Status: closed
Description
typo3/mod/tools/em/class.em_unzip.php is a fork of an old version of PclZip. The latest version of PclZip is 2.8.2 and has a number of fixes (e.g. 64-bit support) and security enhancements.
em_unzip.php handles absolute paths in the .zip archive but not relative paths containing '../', thus allowing files to be extracted outside of the target directory. To prevent this, PclZip 2.5 introduced PCLZIP_OPT_EXTRACT_DIR_RESTRICTION to set a basedir. Note: there's a bug where it can be bypassed if the extracted basedir is supplied as an absolute path. (See attached patch against PclZip 2.8.2 for a fix.)
Reporter: Anthon Pang
OTRS: 2010111210000026
(issue imported from #M16362)
Updated by Steffen Gebert about 14 years ago
Thanks for the report. Did you report this to security@typo3.org?
Updated by Anthon Pang about 14 years ago
No, I didn't know there was an email address to report the issue.
P.S. Ignore the attached file. It has side effects when not used with ARCHIVE_ZIP_PARAM_PATH (aka PCLZIP_OPT_PATH).
What I did in Piwik was to use PCLZIP_CB_PRE_EXTRACT, defining a callback function to examine each path and return an appropriate result code. A similar fix could be applied to typo3/sysext/tsconfig_help/mod1/index.php's unzip().
Reference: http://dev.piwik.org/trac/changeset/3311
Updated by Steffen Gebert about 14 years ago
Thanks for the update. Please report it to the security team, which will investigate further and take steps to fix the issue.
Updated by Benni Mack almost 14 years ago
I've prepared a patch and a use-case. For that I created a zip file with relative paths.
The dangerous zip file includes the following files:
$ zipinfo dangerous.zip
Archive:  dangerous.zip   3468 bytes   5 files
-rw-r--r--  3.0 unx     1163 tx defN  9-Dec-10 21:12 testfile_5.txt
-rw-r--r--  3.0 unx     1163 tx defN  9-Dec-10 21:11 ../testfile_4.txt
-rw-r--r--  3.0 unx     1163 tx defN  8-Dec-10 15:36 ../../testfile_3.txt
-rw-r--r--  3.0 unx     1163 tx defN  8-Dec-10 15:36 ../../../testfile_2.txt
-rw-r--r--  3.0 unx     1163 tx defN  8-Dec-10 15:36 ../../../../testfile.txt
5 files, 5815 bytes uncompressed, 2610 bytes compressed: 55.1%
Now, the only issue where this happens in the core is in the "tsconfig_help" module when rebuilding the new manuals. This works like this:
- The manuals of each installed extension (.sxw is just a zip file btw) get extracted by the EXT:tsconfig_help/mod1/index.php and only the file "contents.xml" gets loaded into a string. For that, the module extracts all files of the manual.sxw
To reproduce:
- Take the dangerous.zip file and move it to docs/manual.sxw of any installed extension on your TYPO3 installation.
- Then go to the tsconfig_help module and rebuild the index. The test files should be outside of your main TYPO3 installation.
The patch disallows .. files and thus solves the whole issue directly in the unzip class.
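Putting the two fixes discussed in this thread together, as an added example that is not part of the report, of TYPO3 or of PclZip: a PCLZIP_CB_PRE_EXTRACT callback (Anthon's approach) whose check rejects every entry containing a ".." component (what Benni's patch does) as well as absolute entry names. Because the description notes that PCLZIP_OPT_EXTRACT_DIR_RESTRICTION can be bypassed with an absolute basedir, the example does not rely on that option; it resolves the target directory with realpath() and judges each entry by its stored name alone. It assumes pclzip.lib.php from PclZip 2.8.x is on the include path; PCLZIP_OPT_PATH, PCLZIP_CB_PRE_EXTRACT and the 'stored_filename' header key are PclZip's own, while isSafeZipEntry, rejectTraversalPreExtract and safeUnzip are names invented for this example.

```php
<?php
// Added example for this thread, not TYPO3 or PclZip code. Assumes
// pclzip.lib.php (PclZip 2.8.x) is available; the PCLZIP_* constants and the
// 'stored_filename' header key are PclZip's own, the function names are ours.
require_once 'pclzip.lib.php';

/**
 * True when an entry name as stored in the archive can only land below the
 * extraction directory. Works on the name alone, so it does not depend on a
 * destination path PclZip may already have computed.
 */
function isSafeZipEntry(string $entryName): bool
{
    // Zip entries may carry either separator; normalise before splitting.
    $name = str_replace('\\', '/', $entryName);

    // Empty names, absolute paths and Windows drive prefixes are rejected.
    if ($name === '' || $name[0] === '/' || preg_match('#^[A-Za-z]:#', $name) === 1) {
        return false;
    }

    // Reject any ".." component, which covers "../x" as well as "a/../../x".
    foreach (explode('/', $name) as $component) {
        if ($component === '..') {
            return false;
        }
    }
    return true;
}

/**
 * PclZip pre-extract callback. Return codes follow PclZip's convention:
 * 1 = extract this entry, 0 = skip it, 2 = abort the whole extraction.
 * A traversal entry aborts, so nothing from a hostile archive is written.
 */
function rejectTraversalPreExtract(int $event, array &$header): int
{
    return isSafeZipEntry($header['stored_filename']) ? 1 : 2;
}

/**
 * Extract $zipFile below $targetDir. Returns false if the target directory
 * does not exist or PclZip reported an error (an aborted extraction included).
 */
function safeUnzip(string $zipFile, string $targetDir): bool
{
    // realpath() gives an absolute, symlink-free base directory.
    $base = realpath($targetDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    $archive = new PclZip($zipFile);
    $result = $archive->extract(
        PCLZIP_OPT_PATH, $base,
        PCLZIP_CB_PRE_EXTRACT, 'rejectTraversalPreExtract'
    );
    // PclZip returns 0 on error and the list of processed entries otherwise.
    return $result !== 0;
}

// Self-check on the entry names from Benni's dangerous.zip listing plus a few
// constructed variants; this part needs no archive on disk.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $cases = [
        'testfile_5.txt'           => true,
        '../testfile_4.txt'        => false,
        '../../../../testfile.txt' => false,
        'docs/sub/contents.xml'    => true,
        'docs/../../escape.txt'    => false,
        '/etc/passwd'              => false,
        '..\\win\\style.txt'       => false,
    ];
    foreach ($cases as $entry => $expected) {
        $ok = isSafeZipEntry($entry) === $expected;
        printf("%-28s %s\n", $entry, $ok ? 'ok' : 'MISMATCH');
    }
}
```

The callback is given as a function name string because PclZip 2.8.x checks it with function_exists() before use. Aborting (return 2) rather than skipping (return 0) is deliberate: a manual.sxw that contains even one traversal entry is not something the tsconfig_help rebuild should half-extract, and extract() then returns 0 so the caller can log the rejected archive.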